1
00:00:00,380 --> 00:00:02,040
Key frameworks.

2
00:00:02,040 --> 00:00:03,620
In this lesson, we're going to talk

3
00:00:03,620 --> 00:00:06,070
about a couple of different frameworks that are covered

4
00:00:06,070 --> 00:00:08,860
by the objectives of the Security+ exam.

5
00:00:08,860 --> 00:00:09,960
Now, the first one we're going to talk

6
00:00:09,960 --> 00:00:13,010
about is the Center for Internet Security, or CIS.

7
00:00:13,010 --> 00:00:14,750
The Center for Internet Security

8
00:00:14,750 --> 00:00:16,120
creates a framework that's based

9
00:00:16,120 --> 00:00:19,030
on consensus-developed secure configuration guidelines

10
00:00:19,030 --> 00:00:21,600
for hardening; these are known as benchmarks,

11
00:00:21,600 --> 00:00:23,930
as well as some prescriptive, prioritized,

12
00:00:23,930 --> 00:00:27,120
and simplified sets of cybersecurity best practices;

13
00:00:27,120 --> 00:00:29,370
these are known as configuration guides.

14
00:00:29,370 --> 00:00:30,760
Now, when we look at benchmarks,

15
00:00:30,760 --> 00:00:33,940
these tell us what things we should be using

16
00:00:33,940 --> 00:00:37,200
as we go through and make sure our systems are up to snuff.

17
00:00:37,200 --> 00:00:38,930
When we look at the configuration guides,

18
00:00:38,930 --> 00:00:41,260
these will be actual step-by-step instructions.

19
00:00:41,260 --> 00:00:44,090
For instance, if you're running a Windows 10 machine,

20
00:00:44,090 --> 00:00:46,460
you should go and set up these configurations

21
00:00:46,460 --> 00:00:48,830
to make sure it's secure and ready for users.

22
00:00:48,830 --> 00:00:50,460
The next framework we're going to cover is known

23
00:00:50,460 --> 00:00:53,730
as the Risk Management Framework, or RMF.

24
00:00:53,730 --> 00:00:56,240
Now, RMF is something that has become very popular

25
00:00:56,240 --> 00:00:57,490
in recent years.
26
00:00:57,490 --> 00:00:59,600
This is a process that integrates security

27
00:00:59,600 --> 00:01:01,150
and risk management activities

28
00:01:01,150 --> 00:01:03,910
into the system development lifecycle early on.

29
00:01:03,910 --> 00:01:05,490
This way, we can do this as an approach

30
00:01:05,490 --> 00:01:07,130
to security control selection

31
00:01:07,130 --> 00:01:09,720
and specification that considers the effectiveness,

32
00:01:09,720 --> 00:01:13,120
efficiency, and constraints due to the different laws,

33
00:01:13,120 --> 00:01:15,690
directives, executive orders, policies,

34
00:01:15,690 --> 00:01:17,660
standards, and regulations.

35
00:01:17,660 --> 00:01:19,330
Now, I know this is a mouthful,

36
00:01:19,330 --> 00:01:21,350
but the reason why we have all these different types

37
00:01:21,350 --> 00:01:23,630
of laws and regulations and policies is

38
00:01:23,630 --> 00:01:27,140
because RMF was developed for the federal government's use.

39
00:01:27,140 --> 00:01:28,860
If you work for the federal government

40
00:01:28,860 --> 00:01:30,970
or as a contractor for the federal government,

41
00:01:30,970 --> 00:01:32,230
you are probably going to be using

42
00:01:32,230 --> 00:01:34,290
the Risk Management Framework.

43
00:01:34,290 --> 00:01:35,870
When you look at the Risk Management Framework,

44
00:01:35,870 --> 00:01:38,520
there are lots of pieces that make this thing up.

45
00:01:38,520 --> 00:01:39,830
As you go through the different steps,

46
00:01:39,830 --> 00:01:41,610
you're going to start with preparation.

47
00:01:41,610 --> 00:01:42,730
After you prepare,

48
00:01:42,730 --> 00:01:44,820
you're going to go ahead and categorize your systems.
49
00:01:44,820 --> 00:01:46,760
You're going to select the different controls you want,

50
00:01:46,760 --> 00:01:48,480
you're going to implement those controls,

51
00:01:48,480 --> 00:01:50,050
you're going to assess those controls,

52
00:01:50,050 --> 00:01:51,440
you're going to authorize the system,

53
00:01:51,440 --> 00:01:53,570
and you're going to monitor those controls for effectiveness.

54
00:01:53,570 --> 00:01:55,700
And this happens in a loop as it goes around.

55
00:01:55,700 --> 00:01:58,470
And there's preparation that happens for each of these.

56
00:01:58,470 --> 00:01:59,970
Now, as you can see, there are lots

57
00:01:59,970 --> 00:02:00,920
of different publications

58
00:02:00,920 --> 00:02:03,090
that help you understand the Risk Management Framework,

59
00:02:03,090 --> 00:02:05,410
including NIST Special Publications shown

60
00:02:05,410 --> 00:02:07,180
on the outside ring there, as well

61
00:02:07,180 --> 00:02:09,140
as some other FIPS instructions.

62
00:02:09,140 --> 00:02:10,880
Do you have to know all of these for the exam?

63
00:02:10,880 --> 00:02:12,520
No, not at all.

64
00:02:12,520 --> 00:02:13,353
You should just know

65
00:02:13,353 --> 00:02:15,020
that the Risk Management Framework is made

66
00:02:15,020 --> 00:02:18,260
by NIST and it's used in federal government systems.

67
00:02:18,260 --> 00:02:19,093
The other one that's made

68
00:02:19,093 --> 00:02:22,970
by NIST is known as the Cybersecurity Framework, or CSF.

69
00:02:22,970 --> 00:02:23,803
This is a set

70
00:02:23,803 --> 00:02:25,820
of industry standards and best practices

71
00:02:25,820 --> 00:02:27,150
that were created by NIST

72
00:02:27,150 --> 00:02:30,480
to help organizations manage their cybersecurity risks.

73
00:02:30,480 --> 00:02:33,057
Often, you will find that the Risk Management Framework

74
00:02:33,057 --> 00:02:36,990
and the CSF work together inside of an organization.
75
00:02:36,990 --> 00:02:39,260
When you look at CSF, it's going to start out

76
00:02:39,260 --> 00:02:42,030
with five basic functional areas.

77
00:02:42,030 --> 00:02:46,600
These are identify, protect, detect, respond, and recover.

78
00:02:46,600 --> 00:02:48,410
And these are basically the five phases

79
00:02:48,410 --> 00:02:51,000
that you're going to do inside of cybersecurity.

80
00:02:51,000 --> 00:02:53,560
Now, under those, we have categories.

81
00:02:53,560 --> 00:02:54,780
For instance, here on my screen,

82
00:02:54,780 --> 00:02:56,690
you can see things like asset management,

83
00:02:56,690 --> 00:02:59,980
the business environment, governance, risk assessment;

84
00:02:59,980 --> 00:03:01,210
if we drop down a little bit further,

85
00:03:01,210 --> 00:03:03,460
awareness and training and data security;

86
00:03:03,460 --> 00:03:05,480
even further, we have anomalies and events

87
00:03:05,480 --> 00:03:08,310
that have to be detected, and the detection processes.

88
00:03:08,310 --> 00:03:10,060
As you can see, all these are basic categories,

89
00:03:10,060 --> 00:03:13,230
and under those, we have subcategories as well.

90
00:03:13,230 --> 00:03:15,810
And so because this is a federal government system,

91
00:03:15,810 --> 00:03:18,850
there are layers upon layers of complexity to it.

92
00:03:18,850 --> 00:03:21,150
Again, it's not something you need to know in depth

93
00:03:21,150 --> 00:03:23,010
for the exam, but you should be aware

94
00:03:23,010 --> 00:03:26,450
that the CSF, the Cybersecurity Framework, is made by NIST,

95
00:03:26,450 --> 00:03:27,400
and you should be aware

96
00:03:27,400 --> 00:03:29,800
of the five category functions that we have:

97
00:03:29,800 --> 00:03:34,290
identify, protect, detect, respond, and recover.

98
00:03:34,290 --> 00:03:35,470
The next framework we're going to talk

99
00:03:35,470 --> 00:03:37,290
about is an international one.
100
00:03:37,290 --> 00:03:40,800
This is known as ISO 27001.

101
00:03:40,800 --> 00:03:43,840
ISO is the International Organization for Standardization.

102
00:03:43,840 --> 00:03:45,430
And this is an international standard

103
00:03:45,430 --> 00:03:48,310
that details the requirements for establishing, implementing,

104
00:03:48,310 --> 00:03:50,250
maintaining, and continually improving

105
00:03:50,250 --> 00:03:54,200
an information security management system, or ISMS.

106
00:03:54,200 --> 00:03:57,740
Now, when you hear ISO 27001, I just want you to think

107
00:03:57,740 --> 00:03:59,870
about the fact that this is a basic procedure

108
00:03:59,870 --> 00:04:03,170
for cybersecurity, and it is an international standard.

109
00:04:03,170 --> 00:04:06,690
The next one we have is ISO 27002.

110
00:04:06,690 --> 00:04:08,800
This again is an international standard,

111
00:04:08,800 --> 00:04:10,880
and it provides best practice recommendations

112
00:04:10,880 --> 00:04:12,890
on information security controls

113
00:04:12,890 --> 00:04:14,660
for use by those responsible

114
00:04:14,660 --> 00:04:17,140
for initiating, implementing, or maintaining

115
00:04:17,140 --> 00:04:20,670
information security management systems, ISMSs.

116
00:04:20,670 --> 00:04:22,960
So again, you can see how 27001

117
00:04:22,960 --> 00:04:25,870
and 27002 could work together.

118
00:04:25,870 --> 00:04:28,620
With 27001, we're talking about the requirements

119
00:04:28,620 --> 00:04:31,000
for establishing and maintaining these systems.

120
00:04:31,000 --> 00:04:34,080
When we're talking about 27002, we're talking specifically

121
00:04:34,080 --> 00:04:35,720
about the controls that we're going to choose

122
00:04:35,720 --> 00:04:37,600
to protect those systems.

123
00:04:37,600 --> 00:04:41,160
Next, we have ISO 27701.
124
00:04:41,160 --> 00:04:43,020
This again is an international standard,

125
00:04:43,020 --> 00:04:47,480
and it acts as a privacy extension to ISO 27001.

126
00:04:47,480 --> 00:04:50,200
It's used to enhance the existing ISMS

127
00:04:50,200 --> 00:04:51,350
with additional requirements

128
00:04:51,350 --> 00:04:53,930
in order to establish, implement, maintain,

129
00:04:53,930 --> 00:04:55,140
and continually improve

130
00:04:55,140 --> 00:04:57,560
privacy information management systems.

131
00:04:57,560 --> 00:05:02,020
So if you have 27001, that's your information systems.

132
00:05:02,020 --> 00:05:03,468
If you have 27002,

133
00:05:03,468 --> 00:05:06,050
that's the controls to protect those systems.

134
00:05:06,050 --> 00:05:08,240
When you talk about 27701,

135
00:05:08,240 --> 00:05:10,800
you're talking about adding privacy on top of that.

136
00:05:10,800 --> 00:05:12,670
The final international standard we want to talk

137
00:05:12,670 --> 00:05:15,240
about is ISO 31000.

138
00:05:15,240 --> 00:05:16,670
This is an international standard

139
00:05:16,670 --> 00:05:18,410
for enterprise risk management,

140
00:05:18,410 --> 00:05:21,080
and it provides a universally recognized paradigm

141
00:05:21,080 --> 00:05:22,630
for practitioners and companies

142
00:05:22,630 --> 00:05:24,590
to employ risk management processes

143
00:05:24,590 --> 00:05:26,830
to replace the myriad of existing standards,

144
00:05:26,830 --> 00:05:29,570
methodologies, and paradigms that differed

145
00:05:29,570 --> 00:05:33,230
between different industries, subject matters, and regions.

146
00:05:33,230 --> 00:05:34,860
So essentially, if you think

147
00:05:34,860 --> 00:05:36,840
about the Risk Management Framework, the RMF,

148
00:05:36,840 --> 00:05:38,630
and how it's used in the United States,

149
00:05:38,630 --> 00:05:42,200
ISO 31000 was trying to do this globally.
150
00:05:42,200 --> 00:05:44,270
They're trying to figure out how we can make everybody use

151
00:05:44,270 --> 00:05:46,780
the exact same risk management framework,

152
00:05:46,780 --> 00:05:49,850
and that's where ISO 31000 comes into play.

153
00:05:49,850 --> 00:05:51,160
Now, the next framework we're going to talk

154
00:05:51,160 --> 00:05:53,690
about is System and Organization Controls,

155
00:05:53,690 --> 00:05:55,440
also known as SOC.

156
00:05:55,440 --> 00:05:57,880
Now, this is a suite of reports that are going to be produced

157
00:05:57,880 --> 00:05:58,820
during an audit.

158
00:05:58,820 --> 00:05:59,730
And this is going to be used

159
00:05:59,730 --> 00:06:02,720
by service organizations to issue validated reports

160
00:06:02,720 --> 00:06:05,680
of internal controls over those information systems

161
00:06:05,680 --> 00:06:08,020
to the users of those services.

162
00:06:08,020 --> 00:06:10,720
Now, if you're going to go ahead and get a SOC audit done,

163
00:06:10,720 --> 00:06:12,480
this is going to be something that is going to be used

164
00:06:12,480 --> 00:06:14,870
in conjunction with some of your other frameworks.

165
00:06:14,870 --> 00:06:18,800
So if you're using NIST RMF or the NIST Cybersecurity Framework,

166
00:06:18,800 --> 00:06:21,180
that tells you what controls you wanted to put in place.

167
00:06:21,180 --> 00:06:23,720
The SOC is going to do the audit of those controls

168
00:06:23,720 --> 00:06:25,620
and make sure you're in compliance.

169
00:06:25,620 --> 00:06:28,140
Now, on your objectives, they mention two terms.

170
00:06:28,140 --> 00:06:29,790
They mention SOC 2,

171
00:06:29,790 --> 00:06:33,530
and they mention Type 2 underneath this idea of a SOC.

172
00:06:33,530 --> 00:06:35,160
When we talk about SOC 2,

173
00:06:35,160 --> 00:06:38,060
this means it is a trusted services criteria.
174
00:06:38,060 --> 00:06:39,440
And this is basically, when you go and look

175
00:06:39,440 --> 00:06:40,900
at the manual for SOC,

176
00:06:40,900 --> 00:06:42,610
it will tell you what those requirements are

177
00:06:42,610 --> 00:06:43,690
as part of that audit.

178
00:06:43,690 --> 00:06:46,400
That's what the trusted services criteria is used for.

179
00:06:46,400 --> 00:06:47,990
Now, when I talk about Type 2,

180
00:06:47,990 --> 00:06:50,290
this is going to address the operational effectiveness

181
00:06:50,290 --> 00:06:53,520
of the specified control over a given period of time.

182
00:06:53,520 --> 00:06:55,850
Normally, that's going to be 9 to 12 months.

183
00:06:55,850 --> 00:06:57,540
So if I'm doing an audit and I'm looking

184
00:06:57,540 --> 00:06:59,260
to make sure you have multifactor authentication

185
00:06:59,260 --> 00:07:01,440
to prevent people from logging onto your systems,

186
00:07:01,440 --> 00:07:04,190
I can then say how effective your implementation

187
00:07:04,190 --> 00:07:07,340
of multifactor authentication is over a 9- to 12-month period,

188
00:07:07,340 --> 00:07:09,270
and I can put that into my report as well

189
00:07:09,270 --> 00:07:12,640
if I'm doing a SOC 2, Type 2 report.

190
00:07:12,640 --> 00:07:13,770
The next framework we want to talk

191
00:07:13,770 --> 00:07:16,270
about comes from the Cloud Security Alliance.

192
00:07:16,270 --> 00:07:18,610
It is the Cloud Control Matrix.

193
00:07:18,610 --> 00:07:19,950
This is a framework that's designed

194
00:07:19,950 --> 00:07:22,130
to provide fundamental security principles

195
00:07:22,130 --> 00:07:23,370
to guide cloud vendors

196
00:07:23,370 --> 00:07:25,480
and to assist prospective cloud customers

197
00:07:25,480 --> 00:07:27,520
in assessing the overall security risk

198
00:07:27,520 --> 00:07:29,270
of a given cloud provider.
199
00:07:29,270 --> 00:07:32,030
So if you're trying to decide whether you're going to go with Azure

200
00:07:32,030 --> 00:07:34,080
or AWS or Google Cloud,

201
00:07:34,080 --> 00:07:36,280
you can run it through your Cloud Control Matrix

202
00:07:36,280 --> 00:07:38,380
to figure out which one is going to best meet your needs

203
00:07:38,380 --> 00:07:40,520
and provide you the best security.

204
00:07:40,520 --> 00:07:41,790
Now, the final thing we want to talk

205
00:07:41,790 --> 00:07:44,220
about also comes from the Cloud Security Alliance,

206
00:07:44,220 --> 00:07:46,450
and it's the Reference Architecture.

207
00:07:46,450 --> 00:07:48,840
This is a methodology and a set of tools

208
00:07:48,840 --> 00:07:51,700
that enable security architects, enterprise architects,

209
00:07:51,700 --> 00:07:54,580
and risk management professionals to leverage a common set

210
00:07:54,580 --> 00:07:56,950
of solutions that fulfill their common needs

211
00:07:56,950 --> 00:07:59,630
to be able to assess where their internal IT

212
00:07:59,630 --> 00:08:01,260
and their cloud providers are

213
00:08:01,260 --> 00:08:04,400
in terms of security capabilities, and to plan a roadmap

214
00:08:04,400 --> 00:08:06,830
to meet the security needs of their business.

215
00:08:06,830 --> 00:08:09,500
Essentially, when we talk about a reference architecture,

216
00:08:09,500 --> 00:08:12,250
we're saying, this is the thing we're going to build towards,

217
00:08:12,250 --> 00:08:14,240
this is how we want to build this thing

218
00:08:14,240 --> 00:08:15,740
to make sure it's secure.
219
00:08:15,740 --> 00:08:17,720
Now, once we do that, over time

220
00:08:17,720 --> 00:08:20,560
that may change and things go and deviate away

221
00:08:20,560 --> 00:08:22,130
from that reference architecture;

222
00:08:22,130 --> 00:08:24,000
that's when we go away from baseline,

223
00:08:24,000 --> 00:08:26,230
but what we designed as a reference architecture

224
00:08:26,230 --> 00:08:28,340
gives us the outline of what we want

225
00:08:28,340 --> 00:08:30,030
and how we want everything to match up

226
00:08:30,030 --> 00:08:31,680
so we can have the best security

227
00:08:31,680 --> 00:08:34,463
and we meet our roadmap to meet those needs.